This policy contains a rule used to filter events based on conditional logic. Although a contrived sample, it serves mainly as an example of conditional logic: its single action vetoes the current operation when the conditions are met.

The first condition tests if the source DN originates outside a given container, specifically a "Users" container. The second condition tests if the Login Disabled attribute is true. The third condition tests if the Title attribute matches a regular expression of ".*consultant|sales.*", which reads as "any character zero or more times, followed by either the word 'consultant' or 'sales', followed by any character zero or more times".

Remember that regular expressions are case-insensitive by default. Since the conditions are logically ORed, if any one of them is true, the operation is vetoed. So, for an operation to pass, it has to originate from the specified container, Login Disabled must NOT be true (the account is enabled), and the Title must NOT contain 'Consultant' or 'Sales'. The policy is designed for the Event Transformation policy set on the Subscriber channel, where it filters events as they come in, but it could be modified for use anywhere appropriate. In order to filter events, this policy should be placed first in the chain.
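
The veto logic described above, modelled in Python as an added example (it is not the policy itself or code from its author); it also runs the Title pattern both as written and with the alternation grouped, since `|` binds more loosely than concatenation. Assumptions: the container DN and sample events are constructed, and the pattern is taken to match the whole attribute value, ignoring case.

```python
import re

USERS = "acme\\Users"                  # hypothetical container DN (constructed)
AS_WRITTEN = r".*consultant|sales.*"   # pattern quoted in the text
GROUPED = r".*(consultant|sales).*"    # alternation grouped, for comparison

def in_subtree(src_dn, container):
    """True if src_dn is the container or an object beneath it."""
    src, base = src_dn.lower(), container.lower()
    return src == base or src.startswith(base + "\\")

def title_matches(title, pattern):
    # Assumption: the pattern must match the whole value, ignoring case.
    if title is None:                  # a missing attribute never matches
        return False
    return re.fullmatch(pattern, title, re.IGNORECASE) is not None

def veto_reasons(event, pattern=AS_WRITTEN):
    """Evaluate the three ORed conditions; any reason means veto."""
    reasons = []
    if not in_subtree(event["src_dn"], USERS):
        reasons.append("outside Users")
    if event.get("Login Disabled") is True:
        reasons.append("login disabled")
    if title_matches(event.get("Title"), pattern):
        reasons.append("title")
    return reasons

# Constructed sample events, not taken from a real directory.
EVENTS = {
    "alice": {"src_dn": "acme\\Users\\alice", "Login Disabled": False, "Title": "Engineer"},
    "bob":   {"src_dn": "acme\\Users\\bob", "Login Disabled": True, "Title": "Engineer"},
    "carol": {"src_dn": "acme\\Contractors\\carol", "Login Disabled": False},
    "dave":  {"src_dn": "acme\\Users\\dave", "Login Disabled": False, "Title": "Senior Consultant"},
    "erin":  {"src_dn": "acme\\Users\\erin", "Login Disabled": False, "Title": "Regional Sales Manager"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, veto_reasons(ev), veto_reasons(ev, GROUPED))
```

Under these assumptions erin's event passes the filter as written and is vetoed only with the grouped pattern, so the Title condition is worth testing against real values before relying on it.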